6
   

GPU processors and internet passwords

 
 
gungasnake
 
  1  
Reply Tue 21 Jun, 2011 08:31 pm
@maxdancona,
Do all of these cracking algorithms which tokenize dictionary words assume English language?

I mean, if that's the case, I might use something like способензнать (abletoknow) as a password....
maxdancona
 
  1  
Reply Tue 21 Jun, 2011 08:43 pm
@gungasnake,
Quote:
Do all of these cracking algorithms which tokenize dictionary words assume English language?

I mean, if that's the case, I might use something like способензнать (abletoknow) as a password....


I would design an algorithm based on my target.

If I was specifically targeting a single person, I would do specific research. I would certainly use dictionaries from whatever languages you know and I would find out everything I could about your family, your profession and your activity on social websites.

On the other hand, if I had a bunch of hashes I had stolen from a bank, I would use a more generalized approach. I would guess which language and culture the customers of that bank were from.

When you are looking for something in a very large search space, the first thing you do is to figure out how to narrow the search. If you are using dictionary words, this gives me a huge step forward in figuring out the few hundred trillions of possibilities I should try first and there are quadrillions of possibilities that I know I don't even need to try.


BillRM
 
  1  
Reply Wed 22 Jun, 2011 12:23 am
@maxdancona,
When the search space is 1.44 * 10 ^75 as in my fast example you can narrow that space down by as many powers as possibles and still it would be so large as to take forever no matter how fast your hardware is.

So good luck with any claims otherwise.

maxdancona
 
  1  
Reply Wed 22 Jun, 2011 07:53 am
@BillRM,
Bill, I seem to be arguing from both sides. I started saying that outside of a few fairly simple guidelines people don't need to worry too much. But then we got into the theoretical level.

The biggest mistake people make, and by far the most important point I have made, is using the same password in different places. Let me say this again If anyone is using the same password for their bank as they use for able2know, they should change their bank password immediately.

This latest part of the discussion is theoretical. I get your point, very large search spaces lead to practically impossible searches. You are exaggerating a bit when you say "no matter how fast your hardware is" (which is mathematically incorrect).

My point is that a series of truly randomly generated characters is going to be more secure than a "easy to remember" series of words and mnemonic tricks generated by a human. In the former there is no choice but to slog through every possible password. In the latter, if I make the correct assumptions using my understanding of humans, I can drastically cut down the search space.

Does this matter? Probably not unless you are being targeted by the NSA (in which case you have more problems than your password). You are absolutely correct that getting a search space on the order of 10^75 is almost certainly sufficient even if you use mnemonics and dictionary words.

But on a theoretical level (if anyone is interested in the theoretical problem), random characters is the best way to maximize the search time.


BillRM
 
  1  
Reply Wed 22 Jun, 2011 10:11 am
@maxdancona,
We agree it would seems on most things in this area and I have a very low secure password that I used on all websites that I consider not needing top level security such as able2know.

Any banking and such websites I have complex pass phases for each in a word file on a truecrypt volumes that I cut and past from. Oh the truecrypt container and my whole disk encryption have very long and complex pass phases that only exist in my mind.

As far as completely randoms passwords that is fine and is the gold standard however doing what GRC is suggesting is more then enough for any of all likely attacks even government level brute force attacks.


0 Replies
 
DrewDad
 
  1  
Reply Wed 22 Jun, 2011 11:47 am
@maxdancona,
The best way to do it is to use a memorable phrase, not just a password that fits the minimum length and complexity requirements.

"The quick brown fox." is much harder to crack than "$DIaiso3b" just because of its length.
maxdancona
 
  1  
Reply Wed 22 Jun, 2011 05:55 pm
@DrewDad,
No Drew, you still don't understand.

Your logic is perfect as long as we are only talking about a brute force attack. You are right length of a phrase like "The quick brown fox." makes it very hard to solve using a brute force attack.

Where you are wrong is the implication that the brute force attack is the only tool hackers have. The password you propose it is relatively easy to solve using a dictionary based attack.

In high security environments, dictionary words are frowned upon. Sometimes there are even filters that keep you from putting dictionary words in your password, although there are downsides to this.

A brute force attack is the primary method for cracking random passwords. This is because any randomly generated password is equally likely to be correct. As soon as a hacker knows that a person is biased on how they will pick their passwords-- for example using dictionary words and "memorizable" phrases, it gives a tool for hackers to focus their search to more likely possibilities.

There is obviously a trade-off here. I believe it is reasonable to choose a password that is less than random in order to make it easier to memorize. Personally I would never choose a password of only dictionary words. I do use initials from sentences with numbers which is a reasonable trade-off in my view.

The technical term is "entropy" which means more or less "randomness". There is no question that higher entropy passwords are more difficult to crack. Random characters have the highest entropy possible.

Statistically based attacks have had success. We know the sequences of characters that humans are more likely to choose and so we can direct our algorithms to favor combinations of these sequences.


rosborne979
 
  1  
Reply Wed 22 Jun, 2011 06:27 pm
@maxdancona,
maxdancona wrote:
If I was specifically targeting a single person, I would do specific research.

There are also other ways to get a password without going through high-tech gyrations. Like looking on his monitor for the sticky note with his password on it (common at most places where I did Sys Admin). Or if you really want to get fancy, hide a small camera in the cubicle and film the keystrokes.

The point being that there are many different ways to hack into an account, and many different ways to try to prevent it.
parados
 
  1  
Reply Wed 22 Jun, 2011 07:25 pm
@rosborne979,
Quote:
*If* someone already has the hash to work from, right? So they need to have stolen something to start with?


Even with a GPU, there are limits to how fast they can try passwords with some encryption types.

http://www.openwall.com/articles/PHP-Users-Passwords
Quote:
Stretching

Offline password cracking (given stolen or leaked password hashes) involves computing hashes of large numbers of candidate passwords. Thus, in order to slow those attacks down, the computational complexity of a good password hashing method must be high - but of course not too high as to render it impractical.

Typical cryptographic hash functions not intended for password hashing were designed for speed. If these are directly misused for password hashing, then offline password cracking attacks may run at speeds of many million of candidate passwords per second.

These cryptographic hash functions (or even block ciphers) - let's call them "cryptographic primitives" - may be used as building blocks to construct a decent password hashing method, which would use thousands or millions of iterations of the underlying cryptographic primitive. This is called password (or key) stretching (or strengthening).

...If you go from one microsecond to one millisecond, which is clearly affordable, you make offline attacks (against stolen or leaked hashes) run 1000 times slower, or you effectively stretch your users' passwords or passphrases by about 10 bits of entropy each. That's significant - it is roughly equivalent to each passphrase containing one additional word, without actually adding that extra word and having the users memorize it.



http://en.wikipedia.org/wiki/Key_stretching

Blowfish uses key stretching which greatly increases the time even for a gpu.
http://en.wikipedia.org/wiki/Blowfish_%28cipher%29
0 Replies
 
OmSigDAVID
 
  1  
Reply Wed 22 Jun, 2011 07:46 pm
@Walter Hinteler,
Walter Hinteler wrote:

gungasnake wrote:

That clearly is not the way the thing works. In real life the Russian mafia or somebody manages to steal an entire list of encrypted passwords from a bank or credit card organization and THEN they start doing the thing with the GPU arrays...


That's more the fault of your bank or credit card organisation.

If someone gets my passwords and my personal pins - well, okay, she/he can look at my account.

But to do anything with it, she/he must have additionally my cell phone and use the special pin(s) I get as text-message within couple of minutes.

Well, this certainly might happen ....
Is that complex, tedious to use ?
0 Replies
 
maxdancona
 
  1  
Reply Wed 22 Jun, 2011 08:09 pm
@rosborne979,
Quote:
The point being that there are many different ways to hack into an account, and many different ways to try to prevent it.


You're absolutely right. But, in the security arms race the odds are tilted toward the hackers.

For you to prevent me from cracking your security, you need to do everything correctly. For me to crack your password (or whatever security scheme) I need to find just one weakness to exploit. Defense is significantly more difficult than offense.

rosborne979
 
  1  
Reply Thu 23 Jun, 2011 05:00 am
@maxdancona,
maxdancona wrote:

Quote:
The point being that there are many different ways to hack into an account, and many different ways to try to prevent it.


You're absolutely right. But, in the security arms race the odds are tilted toward the hackers.

I think that's true when you have a specific account you're trying to break into. But if you look at the account space as a whole... billions of accounts, most without any value to hack at all, then I'm not sure there's an overall "tilt" either way.

Anonymity (or obscurity) should be included in the general defense strategy. Being just one bit of plankton in an ocean of similar plankton is a pretty good defense.
0 Replies
 
BillRM
 
  1  
Reply Thu 23 Jun, 2011 05:24 am
@maxdancona,
I do not think off hand that for anyone who bother to take a few extra security steps that hackers had any leg up in this battle.

Simple extra steps like running your browser in a sandbox placed one hell of a wall up against evil hackers.

An of course keeping your patches up to date and making sure that your pdf reader in not allow to launch other programs at the request of a PDF file ....................and so on.
0 Replies
 
DrewDad
 
  1  
Reply Thu 23 Jun, 2011 06:44 am
@maxdancona,
maxdancona wrote:
The password you propose it is relatively easy to solve using a dictionary based attack.

Once you use three or more words, there's plenty of complexity. Few dictionary attackers use more than two words, and if you include punctuation and capitalization, the password is eminently complex.

Security is my job. Requiring random passwords actually reduces your protection. 1) people will write them down and 2) people will attempt to have the shortest password that meets the policy requirement. Instead of having a 8 or more characters to guess, 90% of the time it will be exactly eight characters.
parados
 
  1  
Reply Thu 23 Jun, 2011 06:55 am
@DrewDad,
The first thing we need to do is stop calling them passwords. People see "word" and think it should be one dictionary word.

Maybe it's time to start asking for passphrases as a bit of social engineering.
BillRM
 
  1  
Reply Thu 23 Jun, 2011 08:50 am
@parados,
I think that all the readers of this thread know that the term password does not refer to dictionary word, however perhaps the term pass-string would be better if you can sell that or a similar term.
0 Replies
 
 

Related Topics

Clone of Micosoft Office - Question by Advocate
Do You Turn Off Your Computer at Night? - Discussion by Phoenix32890
The "Death" of the Computer Mouse - Discussion by Phoenix32890
Windows 10... - Discussion by Region Philbis
Surface Pro 3: What do you think? - Question by neologist
Windows 8 tips thread - Discussion by Wilso
GOOGLE CHROME - Question by Setanta
.Net and Firefox... - Discussion by gungasnake
Hacking a computer and remote access - Discussion by trying2learn
 
Copyright © 2019 MadLab, LLC :: Terms of Service :: Privacy Policy :: Page generated in 0.04 seconds on 08/22/2019 at 06:07:34